Part 2 of this article looks at what the existence of a prefetch file itself can tell you. Examining the contents of the Prefetch directory can provide a storyline of activity on a computer system, because a prefetch file is created the first time an application is executed and updated on each subsequent execution. With a tool such as Guidance Software's EnCase [1] or WinPrefetchView [2] you can extract the prefetch files and simply view their timestamps: the file's creation time records roughly when the application was first run, and its last modified time roughly when it was most recently run (both lag the process start by about ten seconds, because Windows writes the file after observing the first seconds of execution). First and foremost, the existence of a prefetch file shows that a particular application not only existed on the computer but was executed at least once. Sorting the entries by creation or last modified time shows which applications were executed on the system and in what order, and so what activity might have occurred.
For instance, the entries in Figure 1 show that on April 9, 2010, two separate cmd.exe prefetch files were created, meaning cmd.exe was executed from two different locations. After the second cmd.exe (cmd.exe-5D0264ff.pf) was executed, CONSENT.exe was executed (as shown by consent.exe-65f6206D.pf). consent.exe is the User Account Control prompt that asks the user to approve a program that requires administrator rights, so its presence indicates the system is Windows Vista or later (a Windows 7 system here). The program that triggered the prompt was MMC.exe, whose prefetch file was created ten seconds after CONSENT.exe's. Read together, the prefetch files show that on April 9, 2010, at 1:16 PM two instances of cmd.exe were executed from different locations, followed by the launch of MMC.exe. Although the user requested MMC.exe first, the UAC prompt (consent.exe) runs and completes before the elevated MMC.exe process starts, so the consent.exe prefetch file is created first even though MMC.exe was chronologically the program the user started. MMC is the Microsoft Management Console, which hosts the snap-ins used to manage user accounts, Windows event logs, disk management, and other administrative tasks. Figure 1 also shows that PSEXEC.exe was executed. PsExec is a command-line tool for running processes on remote systems, and a psexec.exe prefetch file on this machine means this machine was used as the source of remote execution; on a target, the corresponding artifact is the PSEXESVC.exe service that PsExec installs there.

Figure 1: Analyzing the Prefetch Folder
So what can prefetch files tell you? Two prefetch files with the same application prefix and different trailing hashes indicate two executables with the same name that were run from two different locations, because the eight-character hash in the prefetch file's name is computed from the full path from which the application was executed. In this example a second CMD.exe was executed from somewhere other than Windows\System32, and that second copy should be treated as suspect until it is located. The same pattern can reveal a malware infection in which the malware was first executed in one location, say the desktop or a temp directory, deleted itself from there, placed a copy in Windows\System32, and re-executed itself from the new location: the result is two prefetch files with the same prefix and two different eight-character hashes. If an examiner finds two such files and needs to determine where each was executed from, the hash cannot be turned back into a path directly; it can only be matched against candidate paths. The hash functions themselves have since been reverse engineered and published (Windows XP and Windows Vista/7 each use their own, and Windows 8 and later use a third), so the quick route is to compute the hash of each candidate path on a workstation and compare it with the trailing hash. Note that the input to the hash is the NT device path in upper case (for example \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE), so the volume number has to be guessed along with the directory. Where the algorithm is not available, the trial-and-error approach still works: take any executable, rename it to the prefix of the prefetch file (for example calc.exe), place it in each suspected directory on a test system with the same Windows version and disk layout as the evidence system, execute it, and watch the Prefetch directory until the trailing hash matches. That process is time consuming, so it is wise to focus on suspect directories.
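The following is an added example, not code from the original article or from any tool it mentions. It covers both the timeline reading described at the start of this part and the hash matching described above: it builds a first-run/last-run timeline from a Prefetch directory listing, flags executables that appear with more than one trailing hash, and matches a trailing hash against candidate paths using the published Windows XP and Windows Vista/7 prefetch hash functions (as documented in libscca's format notes; the Windows 8 and later function is not implemented). The directory listing, the timestamps, the SUSPECT_DIRS list and the MMC/PSEXEC/second CMD hashes are constructed for the example; only the CMD.EXE-5D0264FF and CONSENT.EXE-65F6206D names come from Figure 1.

```python
# Added example: prefetch-directory triage helpers. Not from the original article.
import re
from datetime import datetime

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$", re.IGNORECASE)


def parse_pf_name(name):
    """'CMD.EXE-5D0264FF.pf' -> ('CMD.EXE', '5D0264FF'); None for non-prefetch names."""
    m = PF_NAME.match(name)
    return (m.group("exe").upper(), m.group("hash").upper()) if m else None


def timeline(entries):
    """entries: (file name, created, last modified). Creation time ~ first execution,
    modification time ~ most recent execution; both lag the process start by ~10 s."""
    rows = []
    for name, created, modified in entries:
        parsed = parse_pf_name(name)
        if parsed:
            rows.append((created, modified, parsed[0], parsed[1], name))
    return sorted(rows)


def duplicate_prefixes(entries):
    """Executable names seen with more than one hash, i.e. run from more than one path."""
    hashes = {}
    for name, _, _ in entries:
        parsed = parse_pf_name(name)
        if parsed:
            hashes.setdefault(parsed[0], set()).add(parsed[1])
    return {exe: sorted(h) for exe, h in hashes.items() if len(h) > 1}


def scca_xp_hash(path):
    """Windows XP prefetch path hash (the 'XP' function in libscca's documentation)."""
    h = 0
    for c in path.upper():
        h = (h * 37 + ord(c)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:          # reinterpret as signed int32 and take the absolute value
        h = 0x100000000 - h
    return h % 1000000007


def scca_vista_hash(path):
    """Windows Vista / 7 prefetch path hash (the 'Vista' function in the same source).
    Windows 8 and later use a third function that is not implemented here."""
    h = 314159
    for c in path.upper():
        h = (h * 37 + ord(c)) & 0xFFFFFFFF
    return h


def candidate_device_paths(exe, directories, max_volume=4):
    """The hash covers the NT device path, so try each directory on each volume number."""
    for vol in range(1, max_volume + 1):
        for d in directories:
            parts = [f"\\DEVICE\\HARDDISKVOLUME{vol}", d.strip("\\"), exe]
            yield "\\".join(p for p in parts if p).upper()


def resolve_pf_path(pf_name, directories, hash_fn=scca_vista_hash, max_volume=4):
    """Candidate device paths whose hash equals the trailing hash in pf_name."""
    parsed = parse_pf_name(pf_name)
    if parsed is None:
        raise ValueError(f"not a prefetch file name: {pf_name}")
    exe, want = parsed
    return [p for p in candidate_device_paths(exe, directories, max_volume)
            if f"{hash_fn(p):08X}" == want]


# Constructed sample listing (timestamps and the MMC/PSEXEC/second CMD hashes are made up;
# the CMD.EXE-5D0264FF and CONSENT.EXE-65F6206D names come from the article's Figure 1).
SAMPLE_PREFETCH_DIR = [
    ("CMD.EXE-5D0264FF.pf", datetime(2010, 4, 9, 13, 16, 5), datetime(2010, 4, 9, 13, 16, 5)),
    ("CMD.EXE-0A1B2C3D.pf", datetime(2010, 4, 9, 13, 16, 12), datetime(2010, 4, 9, 13, 16, 12)),
    ("CONSENT.EXE-65F6206D.pf", datetime(2010, 4, 9, 13, 16, 40), datetime(2010, 4, 9, 13, 16, 40)),
    ("MMC.EXE-1F2E3D4C.pf", datetime(2010, 4, 9, 13, 16, 50), datetime(2010, 4, 9, 13, 16, 50)),
    ("PSEXEC.EXE-9988AABB.pf", datetime(2010, 4, 9, 14, 2, 0), datetime(2010, 4, 12, 9, 30, 0)),
    ("Layout.ini", datetime(2010, 1, 1), datetime(2010, 4, 12)),  # not a .pf file, skipped
]
SUSPECT_DIRS = ["WINDOWS\\SYSTEM32", "WINDOWS\\TEMP", "USERS\\BOB\\DESKTOP"]  # hypothetical

if __name__ == "__main__":
    for created, modified, exe, h, _ in timeline(SAMPLE_PREFETCH_DIR):
        print(f"first run {created}  last run {modified}  {exe} ({h})")
    print("run from more than one location:", duplicate_prefixes(SAMPLE_PREFETCH_DIR))
    # The true path behind 5D0264FF is not known here, so this may well print [] ...
    print(resolve_pf_path("CMD.EXE-5D0264FF.pf", SUSPECT_DIRS))
    # ... whereas a hash computed for a known path resolves back to that path.
    known = "\\DEVICE\\HARDDISKVOLUME2\\USERS\\BOB\\DESKTOP\\CMD.EXE"
    print(resolve_pf_path(f"CMD.EXE-{scca_vista_hash(known):08X}.pf", SUSPECT_DIRS))
```

Pick the hash function from the evidence system's Windows version, and widen max_volume if the system had more than a handful of volumes; a miss across every candidate means either the directory or the volume number is wrong, and the trial-and-error method described above can then be used on a test system to confirm a guess.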

